Timely analysis of event logs from internet-facing servers
Regularly check logs from online servers to quickly spot security issues.
Plain language
Regularly checking the logs from your internet-facing servers is akin to keeping an eye on your store's front door. If you don't review them frequently, you might miss signs of a cyber attack that could harm your business. By examining these logs promptly, you can catch potential security threats early before they cause severe damage.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
If internet-facing server logs aren’t analysed promptly, intrusions and suspicious activity may go unnoticed, increasing the chance of data theft, malware spread or service disruption.
Operational notes
Review internet-facing server logs daily (or near real-time) via SIEM; alert on suspicious auth, web errors and admin changes, and escalate confirmed incidents within defined timeframes.
Implementation tips
- Security officer: Establish a schedule for when event logs should be analysed, ensuring it's a regular task.
- IT team: Set up automated alerts for unusual activity in event logs from internet-facing servers to ensure prompt detection.
- System administrator: Use a log management tool to collect and consolidate logs, making analysis more efficient.
- IT manager: Allocate resources and time for staff to analyse event logs consistently as part of their routine duties.
Audit / evidence tips
- AskHow often are the logs from your internet-facing servers reviewed?
- GoodLogs are reviewed daily or weekly, with a set schedule visible
- AskWhat happens if an unusual event is detected in the logs?
- GoodThere is a clear, documented process to investigate abnormal log entries, with past examples of successful resolution
Cross-framework mappings
How E8-MF-ML2.8 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 8.15 | E8-MF-ML2.8 requires timely analysis of event logs specifically from internet-facing servers to detect cyber security events | |
| Annex A 8.16 | E8-MF-ML2.8 focuses on timely analysis of event logs from internet-facing servers to detect cyber security events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-1228 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| sync_alt Partially overlaps (5) expand_less | ||
| ISM-0634 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1030 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1907 | ISM-1907 requires timely analysis of logs from non-internet-facing servers to detect cyber security events | |
| ISM-1961 | E8-MF-ML2.8 requires organisations to analyse event logs from internet-facing servers in a timely manner to detect cyber security events | |
| ISM-1986 | ISM-1986 requires event logs from critical servers to be analysed in a timely manner to detect cyber security events | |
| handshake Supports (1) expand_less | ||
| ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored | |
| extension Depends on (3) expand_less | ||
| ISM-0988 | E8-MF-ML2.8 requires organisations to analyse event logs from internet-facing servers in a timely manner to detect cyber security events | |
| ISM-1405 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1978 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| link Related (2) expand_less | ||
| ISM-1906 | E8-MF-ML2.8 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| ISM-1987 | ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.